Lab5-4.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.4 Enhancing Router Security
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-4/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc =0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
f0/0 = R2 f0/0
[[Router R2]]
model = 3725
console = 2002
Objectives
‧ Implement Cisco IOS login enhancements
‧ Enforce a minimum password length
‧ Modify command privilege levels
‧ Configure a banner
‧ Configure a router to use SSH
‧ Enable password encryption
Scenario:
‧ Enforce a minimum password length of eight characters.
‧ Display a security banner stating that unauthorized use is prohibited and prosecutable and that the use of this device is monitored and will be used as evidence.
‧ Permit only secure management methods. No management password may be sent or stored in clear text. Anti-replay measures must be taken.
‧ Login procedures must be guarded against denial of service (DoS) attacks.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname R1    ! on R2: hostname R2
Step 1: Configure the Physical Interface
R1:
interface fastEthernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
R2:
interface fastEthernet 0/0
ip address 192.168.10.2 255.255.255.0
no shutdown
Step 2: Telnet to R1
R2:
telnet 192.168.10.1
Trying 192.168.10.1 ... Open
Password required, but none set
For this lab, use the local username database. Another option is to configure communication to a RADIUS or TACACS+ server for AAA services. At the line configuration prompt, enter the login local command to enable local authentication.
R1:
username cisco password cisco
!
line vty 0 4
login local
logging synchronous
R2:
telnet 192.168.10.1
Trying 192.168.10.1 ... Open
User Access Verification
Username: cisco
Password: cisco
R1>enable
% No password set
R1>exit
R1:
enable secret cisco
R2:
R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
User Access Verification
Username: cisco
Password: cisco
R1>enable
Password: cisco
R1#
Step 3: Configure Cisco IOS Login Enhancements
Enabling TCP keepalives (the service tcp-keepalives-in and service tcp-keepalives-out global commands) makes the router send periodic keepalive probes on its TCP sessions, so broken Telnet or SSH connections are detected and torn down instead of leaving hung VTY sessions behind. This matters because a VTY stuck in a dead session is unavailable to administrators until it times out, and there are only five of them by default.
R1:
R1#show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks
The login block-for seconds attempts tries within seconds command, issued in global configuration mode, enables the login-attack watch and is required before any of the other login enhancement commands take effect. The following configuration puts R1 into quiet mode for 30 seconds once two failed login attempts occur within a 15 second window.
R1(config)#login block-for 30 attempts 2 within 15
Test this configuration by attempting to telnet to R1 from R2.
R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
User Access Verification
Username: test
Password:
% Login invalid
Username: test
Password:
% Login invalid
[Connection to 192.168.10.1 closed by foreign host]
R2#telnet 192.168.10.1
Trying 192.168.10.1 ...
% Connection refused by remote host
You can set up an access list that permits trusted hosts to reach the router even in quiet mode. Issue the login quiet-mode access-class acl command in global configuration mode on R1; the access list specifies the sources that are exempt from the block. Note that the list below permits only 192.168.20.0/24, so R2 at 192.168.10.2 is not exempt and is still refused during quiet mode. In production the list should contain only the management hosts you trust, because anything it permits can keep guessing while everyone else is locked out.
R1(config)#login quiet-mode access-class 1
R1(config)#access-list 1 permit 192.168.20.0 0.0.0.255
Set the minimum delay between successive login attempts to 3 seconds with the login delay seconds command in global configuration mode (once login block-for is configured, the default delay is 1 second). Also issue the login on-failure log command so the router generates a syslog message for every failed login; without it, the lockouts reported by show login leave no per-attempt record to investigate.
R1(config)#login delay 3
R1(config)#login on-failure log
Verify the configuration by failing login to R1.
R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
User Access Verification
Username: test
Password: test
% Login invalid
Username: test
Password: test
% Login invalid
[Connection to 192.168.10.1 closed by foreign host]
R1#show login
A login delay of 3 seconds is applied.
Quiet-Mode access list 1 is applied.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 15 seconds or less,
logins will be disabled for 30 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 2 seconds.
Login failures for current window: 0.
Total login failures: 6.
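The behaviour shown in the two transcripts above (two failures inside the window, connection refused afterwards, trusted hosts exempt) can be modelled to see exactly how the watch window slides and when quiet mode ends. The following is an added example written for this page, not IOS code and not part of the lab manual; the class and function names (WildcardAcl, LoginGuard, demo) and the attempt timestamps are this example's own, constructed to replay the lab. Quiet mode is entered on the second failure, matching the transcript, even though the show login text reads "more than 2".

```python
# Added example (not IOS code, not from the lab manual): a model of
#   login block-for 30 attempts 2 within 15
#   login quiet-mode access-class 1   (access-list 1 permit 192.168.20.0 0.0.0.255)
#   login on-failure log
# Names and the replayed attempt sequence are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


class WildcardAcl:
    """One standard-ACL 'permit <address> <wildcard>' entry."""

    def __init__(self, address: str, wildcard: str) -> None:
        self.address = int(IPv4Address(address))
        # A 1 bit in the wildcard means "don't care"; every 0 bit must match.
        self.care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF

    def permits(self, src: str) -> bool:
        return ((int(IPv4Address(src)) ^ self.address) & self.care) == 0


@dataclass
class LoginGuard:
    block_for: int                      # seconds spent in quiet mode
    attempts: int                       # failures that trigger quiet mode...
    within: int                         # ...when they fall inside this window (s)
    quiet_acl: Optional[WildcardAcl] = None
    failures: List[float] = field(default_factory=list)  # failure times in window
    quiet_until: float = -1.0
    total_failures: int = 0
    log: List[str] = field(default_factory=list)

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def connect(self, src: str, now: float) -> str:
        """Decision taken when the TCP session arrives, before any prompt."""
        if self.in_quiet_mode(now):
            if self.quiet_acl is not None and self.quiet_acl.permits(src):
                return "open"        # trusted host: quiet-mode ACL lets it through
            return "refused"         # '% Connection refused by remote host'
        return "open"

    def login(self, src: str, now: float, ok: bool) -> str:
        """Outcome of one username/password attempt from src at time now."""
        state = self.connect(src, now)
        if state != "open":
            return state
        if ok:
            return "accepted"
        self.total_failures += 1
        self.log.append(f"{now:.0f}s LOGIN_FAILED from {src}")  # login on-failure log
        # Slide the watch window: drop failures older than 'within' seconds.
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now:.0f}s QUIET_MODE for {self.block_for}s")
            return "invalid, quiet mode entered"
        return "invalid"


def demo() -> List[str]:
    """Replay the lab: R2 (192.168.10.2) fails twice, then a trusted
    192.168.20.x host and R2 both try while R1 is in quiet mode."""
    acl = WildcardAcl("192.168.20.0", "0.0.0.255")
    r1 = LoginGuard(block_for=30, attempts=2, within=15, quiet_acl=acl)
    return [
        r1.login("192.168.10.2", 0, ok=False),   # first failure
        r1.login("192.168.10.2", 5, ok=False),   # second inside 15 s -> quiet mode
        r1.connect("192.168.10.2", 6),           # refused
        r1.connect("192.168.20.7", 6),           # exempt by ACL 1
        r1.connect("192.168.10.2", 36),          # quiet mode over after 30 s
    ]


if __name__ == "__main__":
    print(demo())
```

Two failures spread more than 15 seconds apart never trigger quiet mode, which is why login delay matters: it caps how fast an attacker can pace attempts to stay under the window.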
Step 4: Enforce a Minimum Password Length
You can enforce a minimum password length on a router with the global configuration command security passwords min-length size. It applies to user passwords, enable secrets and passwords, and line passwords, and is checked only when a password is configured; passwords that already exist are not re-validated.
R1(config)#security passwords min-length 8
R1(config)#username cisco2 password cis
% Password too short - must be at least 8 characters. Password configuration failed
R1(config)#username cisco2 password ciscocisco
R1(config)#no username cisco2 password ciscocisco
R1(config)#no security passwords min-length 8
The lab removes the setting here so that the short passwords used in the following steps are accepted. To satisfy the scenario requirement on a real device, leave it in place and choose passwords of at least eight characters.
Step 5: Modify Command Privilege Levels
By default, every IOS command is assigned to either privilege level 1 (user EXEC) or privilege level 15 (privileged EXEC); levels 2 through 14 are unused until you move commands into them.
R1#show privilege
Current privilege level is 15
You can set different privilege level passwords by using the enable secret level level password command in global configuration mode. Set the password for privilege level 5 to “cisco5”. Then, issue enable 5 to get to privilege level 5.
R1(config)#enable secret level 5 cisco5
R1>enable 5
Password: cisco5
R1#show privilege
Current privilege level is 5
R1#
You can move specific commands to a different level with the privilege mode level level command command in global configuration mode, where mode is the mode the command belongs to (exec, configure, interface, and so on). Moving a command to level 5 also makes it unavailable to anyone below level 5.
R1#enable 15
Password: cisco
R1#configure terminal
R1(config)#privilege exec level 5 configure terminal
R1(config)#privilege configure level 5 interface
R1(config)#privilege interface level 5 shutdown
Using either the enable level command from the user exec prompt or the disable level command from the privileged exec prompt, change your user privilege level to 5 and attempt to deactivate the interface.
R1#show privilege
Current privilege level is 15
R1#disable 5
Current privilege level is 5
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#?
Configure commands:
atm Enable ATM SLM Statistics
beep Configure BEEP (Blocks Extensible Exchange Protocol)
call Configure Call parameters
default Set a command to its defaults
dss Configure dss parameters
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
interface Select an interface to configure
netconf Configure NETCONF
no Negate a command or set its defaults
oer Optimized Exit Routing configuration submodes
sasl Configure SASL
R1(config)#interface fastEthernet 0/0
R1(config-if)#shutdown
R1(config-if)#no shutdown
R1#enable 15
Password: cisco
R1#show running-config | include privilege
privilege interface level 5 shutdown
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
Step 6: Create a Banner
You can create a message-of-the-day banner for users connecting to the router with the banner motd delimiter command in global configuration mode. The banner configured here is minimal; the scenario calls for wording that says access is monitored and may be used as evidence.
R1(config)#banner motd ~
Enter TEXT message. End with the character '~'.
CCNP Lab Router
UNAUTHORIZED ACCESS PROHIBITED
~
Try connecting to R1 from R2.
R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
CCNP Lab Router
UNAUTHORIZED ACCESS PROHIBITED
Step 7: Enable SSH
First, set the domain name for the router using the ip domain-name name command in global configuration mode.
R1(config)#ip domain-name cisco.com
Next, generate an RSA key pair with the crypto key generate rsa command in global configuration mode. The key is named after the hostname and domain name, which is why the domain name must be set first. The lab accepts a 1024-bit modulus, which was common in 2008; today choose at least 2048 bits.
R1(config)#crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Mar 1 00:59:50.447: %SSH-5-ENABLED: SSH 1.99 has been enabled
The "SSH 1.99" in the log message means the server negotiates both SSH version 1 and version 2; restrict it to version 2 with ip ssh version 2, since SSHv1 has known protocol weaknesses. On R1, you can view the generated key with the show crypto key mypubkey rsa command.
R1#show crypto key mypubkey rsa
For enhanced security, force the VTYs to accept only SSH traffic by using the transport input type command in line configuration mode.
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
On R2, connect to R1 with SSH using the ssh -l username hostname command; the -l option supplies the username.
R2#ssh -l cisco 192.168.10.1
Password: cisco
CCNP Lab Router
UNAUTHORIZED ACCESS PROHIBITED
R1>exit
[Connection to 192.168.10.1 closed by foreign host]
R2#
Step 8: Encrypt Passwords
R1#show running-config | include username
username cisco password 0 cisco
Secret passwords do not show up in clear text because they are stored as a type 5 salted MD5 hash at configuration time; a hash cannot be turned back into the password, only guessed. service password-encryption, by contrast, applies the reversible type 7 obfuscation to passwords that were stored as plain text (type 0), such as the username line above, so it protects against shoulder-surfing but not against recovery from a leaked configuration. Creating the account with username cisco secret ... instead would have stored a hash.
R1(config)#service password-encryption
R1#show running-config | include username
username cisco password 7 070C285F4D06
To see how easy it is to decode a Cisco type 7 password, search for “cisco type 7 password” or use an online decoder such as the one below; the scheme is a fixed XOR keystream, so the conversion is instantaneous and needs no password guessing.
http://www.ifm.net.nz/cookbooks/passwordcracker.html
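The reversibility claimed above can be demonstrated directly on the value the lab produced. The following is an added example written for this page, not code from the lab manual or from Cisco; it implements the well-known public type 7 keystream, recovers the cleartext of the username line shown in Step 8, and goes beyond the page by also encoding and by scanning a constructed configuration excerpt to separate reversible type 7 values from type 5 hashes (which it only classifies, not cracks). The function names are this example's own.

```python
# Added example (not from the lab manual or from Cisco): the "type 7"
# scheme IOS applies under 'service password-encryption' is a fixed XOR
# keystream, so it is reversible by anyone who can read the configuration.
# The keystream is the widely published one; function names are ours.
import re

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Two decimal digits (keystream offset 00..15) followed by hex byte pairs.
_TYPE7_RE = re.compile(r"^(0\d|1[0-5])((?:[0-9A-Fa-f]{2})+)$")


def type7_decode(encoded: str) -> str:
    """Recover the cleartext of a 'password 7 <value>' string.

    Each hex byte is XORed with the keystream byte at (offset + position).
    """
    m = _TYPE7_RE.match(encoded)
    if not m:
        raise ValueError(f"not a type 7 value: {encoded!r}")
    seed = int(m.group(1))
    body = bytes.fromhex(m.group(2))
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("latin-1")


def type7_encode(clear: str, seed: int = 7) -> str:
    """Produce the value IOS would store (IOS picks the seed at random)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = clear.encode("latin-1")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed running-config excerpt built from the two lines the lab shows.
SAMPLE_CONFIG = """\
username cisco password 7 070C285F4D06
enable secret 5 $1$I.lV$lyyYElwe93sVql3r7UGPu/
"""


def audit_config(config: str) -> dict:
    """Map each password-bearing line to (storage type, what an attacker gets).

    Type 7 values are recovered outright; type 5 values are salted MD5 hashes
    and are reported as-is, since they can only be attacked by guessing.
    """
    findings = {}
    for line in config.splitlines():
        toks = line.split()
        for i in range(len(toks) - 2):
            if toks[i] in ("password", "secret") and toks[i + 1] in ("5", "7"):
                kind, value = toks[i + 1], toks[i + 2]
                if kind == "7":
                    findings[line] = ("type 7 (reversible)", type7_decode(value))
                else:
                    findings[line] = ("type 5 (salted MD5 hash)", value)
    return findings


if __name__ == "__main__":
    for line, (kind, result) in audit_config(SAMPLE_CONFIG).items():
        print(f"{line}\n    -> {kind}: {result}")
```

Running the audit on the sample shows the username line giving up "cisco" immediately, while the enable secret line yields only a hash; that difference is the whole argument for storing credentials with secret rather than relying on service password-encryption.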
Final Configurations
R1:
service password-encryption
!
hostname R1
!
!
enable secret level 5 5 $1$QAtp$g7h6Hncph5J9lSC3nCRN7.
enable secret 5 $1$I.lV$lyyYElwe93sVql3r7UGPu/
!
no ip domain lookup
ip domain name cisco.com
login block-for 30 attempts 2 within 15
login delay 3
login quiet-mode access-class 1
login on-failure log
!
username cisco password 7 070C285F4D06
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
!
access-list 1 permit 192.168.20.0 0.0.0.255
!
banner motd ^C
CCNP Lab Router
UNAUTHORIZED ACCESS PROHIBITED
^C
privilege interface level 5 shutdown
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
logging synchronous
login local
transport input ssh
!
end
R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / last updated: 2008.10.04 / 2018.06.11